Bug 690581
| Summary: | Security fixes in Cacti v0.8.7g for EPEL4/5 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Dan Young <dyoung> | ||||
| Component: | cacti | Assignee: | Gwyn Ciesla <gwync> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | el4 | CC: | gwync, ktdreyer, mmcgrath, vdanen | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2011-12-13 18:08:56 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Dan Young
2011-03-24 17:28:49 UTC
Working on a pair of bugs, if they're good I'll push it to rawhide, F-15-14-13, EL-4-5-6. Not sure if this is one of your bugs...
I tried an upgrade of 0.8.7.f to 0.8.7.g (rebuilt 0.8.7g for EPEL4) which cratered due to the upgrade script not working. Bug seems to be in db_fetch_cell('select cacti from version') in either /usr/share/cacti/install/index.php or /var/lib/cacti/cli/upgrade_database.php.
I can file this separately if you like.
It is. If you have a patch, attach it to this BZ and I'll have a look. Patch attached. Here's the corresponding upstream commit: http://svn.cacti.net/viewvc/cacti/branches/0.8.7/lib/database.php?r1=6233&r2=6321 I tested it as far as the web-driven upgrade process. The /var/lib/cacti/cli/upgrade_database.php script still fails as there's no 0_8_7f_to_0_8_7g.php in the array at the top. Created attachment 490100 [details] Cacti database upgrade works after this patch. The upstream commit references this bug: http://bugs.cacti.net/view.php?id=1646 which is for SSL MySQL support? And yet it fixes the upgrade operation... Any progress on this issue? Ping? Sorry, been swamped. I just approved kdreyer for EL-5, are you working on this or shall I? I currently have a few spare cycles so I was going to try to get this fixed for EL-5. I don't have an EL-4 box available to test, so someone else will need to handle that branch. My production Cacti is on EL4 so I'd be willing to do some footwork to make this happen. Jon, you mentioned other issues besides the DB upgrade that were outstanding. If you can summarize and point me at those, I'd be willing to take a look. Thanks. Dan, if you're interested feel free to apply for commit privs at https://admin.fedoraproject.org/pkgdb/acls/name/cacti . And Jon, I'll second Dan's request for more information re: your comment #1. I see #609856 and #665773 are open in BZ, but was there something more? cacti-0.8.7g-1.el5.1 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/cacti-0.8.7g-1.el5.1 https://bugzilla.redhat.com/show_bug.cgi?id=665773 https://bugzilla.redhat.com/show_bug.cgi?id=609856 Are pretty much it. cacti-0.8.7g-1.el5.1 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. Dan, I've pushed 0.8.7h to EL4: https://admin.fedoraproject.org/updates/cacti-0.8.7h-1.el4 I don't have an EL4 box here to test. Your feedback would be appreciated. This error was logged in /var/log/cacti/cacti.log on upgrade from 0.8.7.f: [Fail] ALTER TABLE `data_template_rrd` ADD UNIQUE INDEX `duplicate_dsname_contraint` (`local_data_id`, `data_source_name`, `data_template_id`) Some related discussion here: http://forums.cacti.net/viewtopic.php?f=11&t=42925 Cacti seems to work anyways, FWIW. I'm not sure I'm in a position to recommend you push the update or not. Given the imminent end of regular support for EL4, we're not likely to stay on it much longer. Thanks for the feedback. Were you able to actually update the DB to 0.8.7f ok? I'm inclined to push cacti-0.8.7h-1.el4 out since it has a fix for SQL injection and XSS, and the upstream bug (1646) mentioned in Comment 5 made it into 0.8.7h... but maybe there's something else lurking that's incompatible with EL4? (In reply to comment #17) > Thanks for the feedback. Were you able to actually update the DB to 0.8.7f ok? ...I meant 0.8.7h here, sorry. (In reply to comment #18) > (In reply to comment #17) > > Thanks for the feedback. Were you able to actually update the DB to 0.8.7f ok? > > ...I meant 0.8.7h here, sorry. Yes, it did update, though with the aforementioned database error. I certainly think the security issues, etc. are worth updating for, though I wish I understood what was happening w/ the SQL error on database upgrade. Could just be our Cacti database... If it's "just" an index and there is no visible performance penalty, I'm less inclined to care. I pushed 0.8.7h for all branches back in November (#748451), so I'm going to mark this as "closed". 0.8.7i was released today with more security fixes. Please see #766573 for tracking that effort. |